This command line tool can be used to view keyring files, create keyring files, and import certificates of all kinds into keyring files. It uses the Notes C API and can be run against any 8.5.x or 9.x IBM Notes/Domino installation. SHA-2 certificates are supported only on 9.x, and importing and deleting trusted roots requires interim fix 9.0 IF6 or 9.0.1 FP2 IF1.
To install, uncompress the zip file into your Notes/Domino program directory. On Windows, launch "kyrtool.exe" as shown below. On Linux, launch "/opt/ibm/domino/bin/tools/startup kyrtool" as shown below; the exact path to the "startup" command varies with your Notes/Domino installation path. If the tool is not run from the same directory as your notes.ini file, the "=/path/to/notes.ini" parameter is required, as shown below. Because the keyring password is stored next to the keyring in the STH file, restrict filesystem access to both the .kyr and .sth files to the account that runs the server.
Download link for kyrtool:
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ELotus&product=ibm/Lotus/Lotus+Domino&release=9.0.1.2&platform=All&function=fixId&fixids=KYRTool_9x_ClientServer&includeSupersedes=0&source=fc
Displaying the top level help text on Windows:
[C:\] kyrtool =c:\lotus\notes\notes.ini -h
KyrTool v1.0
kyrtool [=/path/to/notes.ini] command [subcommand] [flags]
Commands:
create Create a new keyring file
delete Delete a root in a keyring file
import Import into a keyring file
show Show information about a keyring file
verify Verify the content of a PEM import file
Use 'kyrtool [command] -h' to view help for each command.
The keyring password is stored in the STH file and will be
automatically read when using an existing keyring file.
Displaying the top level help text on Linux:
[~]$ /opt/ibm/domino/bin/tools/startup kyrtool =/home/domino/notesdata/notes.ini -h
KyrTool v1.0
kyrtool [=/path/to/notes.ini] command [subcommand] [flags]
Commands:
create Create a new keyring file
delete Delete a root in a keyring file
import Import into a keyring file
show Show information about a keyring file
verify Verify the content of a PEM import file
Use 'kyrtool [command] -h' to view help for each command.
The keyring password is stored in the STH file and will be
automatically read when using an existing keyring file.
[C:\] kyrtool =c:\lotus\notes\notes.ini create -h
KyrTool v1.0
kyrtool create [flags]
Creates a new Domino SSL keyring file
'Create' flags:
-h Display this help message and exit
-k Path to keyfile (Mandatory)
-p Keyring password (Mandatory)
-v Verbose mode; repeating increases verbosity level
[C:\] kyrtool =c:\lotus\notes\notes.ini show -h
KyrTool v1.0
Show information about an existing Domino SSL keyring file
kyrtool show certs [flags]
-c Also show DER encoding of certs
-i arg Input PEM file
-k arg Path to keyfile
One of -i or -k must be present
-o Check cert chain via OCSP (-i only)
kyrtool show keys [flags]
-i arg Input PEM file (*)
-k arg Path to keyfile (*)
One of -i or -k must be present
kyrtool show policy [flags]
-k arg Path to keyfile (Mandatory)
kyrtool show roots [flags]
-c Also show DER encoding of certs
-k arg Path to keyfile (Mandatory)
-n Also show DER encoding of names
-v At least one '-v' will display PEM encoding of certs for roots.
Common 'show' flags:
-h Print this help message
-v Verbose mode; repeating increases verbosity levels
By default 'show roots' will only output the names stored for the
root certificates; use '-v' to show the actual root certificates.
The API used for 'show keys' can only display key pairs that are
associated with a certificate.
[C:\] kyrtool =c:\lotus\notes\notes.ini import -h
KyrTool v1.0
Imports keys and certificates into a Domino SSL keyring file
kyrtool import all [flags]
-i arg Input PEM file (Mandatory)
-k arg Path to keyfile (Mandatory)
kyrtool import roots [flags]
-i arg Input PEM file (Mandatory)
-k arg Path to keyfile (Mandatory)
kyrtool import keys [flags]
-i arg Input PEM file (Mandatory)
-k arg Path to keyfile (Mandatory)
-n arg Distinguished name
kyrtool import certs [flags]
-i arg Input PEM file (Mandatory)
-k arg Path to keyfile (Mandatory)
Common 'import' flags:
-h Print this help message
-v Verbose mode; repeating increases verbosity levels
'import all' will import an RSA keypair and the server's certificate chain into the
keyring file. The input file must contain a '-----BEGIN RSA PRIVATE KEY-----' and
at least one '-----BEGIN CERTIFICATE-----' PEM blob.
This operation combines the functionality of 'import keys' and 'import certs'
without the need to correctly specify a distinguished name.
The 'kyrtool verify file.pem' command can be used to check the file before importing.
'import roots' will import one or more certificates into the keyring file as trusted roots.
The input file must contain one or more '-----BEGIN CERTIFICATE-----' PEM blobs.
'import keys' will import an RSA keypair into the keyring file, but requires
the distinguished name from the leaf cert (CN=www.example.com) as input.
The input file must contain a '-----BEGIN RSA PRIVATE KEY-----' PEM blob.
'kyrtool show keys -i file.pem' can be used to check the file before importing.
'import certs' will import the server's certificate chain into the keyring file.
The input file must contain one or more '-----BEGIN CERTIFICATE-----' PEM blobs.
The certificate chain must be ordered with the leaf first and the root last.
'kyrtool show certs -i file.pem' can be used to check the file before importing.
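A small pre-flight check that applies the rules above to a PEM file before running 'kyrtool import all'. This is an added example, not kyrtool's own code: it looks for exactly one '-----BEGIN RSA PRIVATE KEY-----' blob, at least one '-----BEGIN CERTIFICATE-----' blob, leaf-first/root-last ordering (each certificate's issuer Name DER must equal the next certificate's subject Name DER), and embedded NUL bytes, which crashed kyrtool 1.0. The sample input is constructed in the block: the key blob is a placeholder and the certificates are unsigned stand-ins with a real tbsCertificate layout, so they exercise the parser but are not usable certificates.

```python
"""Pre-flight check of a PEM file before 'kyrtool import all' (added example)."""
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def der_tlv(buf, pos):
    """Decode one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def tbs_fields(cert_der):
    """Return (tag, raw TLV bytes) for each element directly inside tbsCertificate."""
    _, s, _ = der_tlv(cert_der, 0)            # Certificate SEQUENCE
    _, pos, end = der_tlv(cert_der, s)        # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, ve = der_tlv(cert_der, pos)
        fields.append((tag, cert_der[pos:ve]))
        pos = ve
    if fields and fields[0][0] == 0xA0:       # optional explicit [0] version
        fields.pop(0)
    return fields


def issuer_and_subject(cert_der):
    """Raw DER of the issuer and subject Names (fields 2 and 4 after version)."""
    f = tbs_fields(cert_der)
    return f[2][1], f[4][1]


def check_pem(data: bytes):
    """Return a list of problems; an empty list means the file looks importable."""
    problems = []
    if b"\x00" in data:
        problems.append("embedded NUL byte(s) in file")
        data = data.replace(b"\x00", b"")
    blobs = PEM_RE.findall(data)
    keys = [b for t, b in blobs if t == b"RSA PRIVATE KEY"]
    certs = [base64.b64decode(b) for t, b in blobs if t == b"CERTIFICATE"]
    if len(keys) != 1:
        problems.append(f"expected exactly 1 RSA PRIVATE KEY blob, found {len(keys)}")
    if not certs:
        problems.append("no CERTIFICATE blob found")
    names = [issuer_and_subject(c) for c in certs]
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:    # issuer of cert i must be subject of cert i+1
            problems.append(f"cert {i} is not issued by cert {i + 1}: "
                            "chain must be ordered leaf first, root last")
    return problems


# --- constructed sample input (placeholder key, unsigned stand-in certificates) ---

def _tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def fake_cert_pem(subject_cn, issuer_cn):
    """Stand-in with a real tbsCertificate prefix (version..subject); NOT a usable cert."""
    def name(cn):   # Name ::= SEQUENCE OF SET OF { commonName OID, PrintableString }
        return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03")
                                          + _tlv(0x13, cn.encode()))))
    sha256_rsa = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, b"150101000000Z") + _tlv(0x17, b"250101000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + sha256_rsa + name(issuer_cn) + validity + name(subject_cn))
    der = _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
LEAF = fake_cert_pem("www.example.com", "Example Intermediate CA")
INTER = fake_cert_pem("Example Intermediate CA", "Example Root CA")
ROOT = fake_cert_pem("Example Root CA", "Example Root CA")


def good_file():
    return (FAKE_KEY + LEAF + INTER + ROOT).encode()     # leaf first, root last


def reversed_file():
    return (FAKE_KEY + ROOT + INTER + LEAF).encode()     # wrong order


if __name__ == "__main__":
    cases = [("leaf-first", good_file()), ("root-first", reversed_file()),
             ("no key", (LEAF + INTER + ROOT).encode()),
             ("embedded NUL", good_file().replace(b"\n", b"\x00\n", 1))]
    for label, data in cases:
        print(label, "->", check_pem(data) or "OK")
```

Run it against your real import file by reading the bytes and calling check_pem; an empty result means the file satisfies the stated rules, after which 'kyrtool verify file.pem' remains the authoritative check before 'import all'.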
[C:\] kyrtool =c:\lotus\notes\notes.ini delete -h
KyrTool v1.0
Delete root certificate from a Domino SSL keyring file
kyrtool delete root [flags]
-k arg Path to keyfile (Mandatory)
-# arg Index of trusted root to delete. Index is displayed in the show roots command (Mandatory)
-h Print this help message
-v Verbose mode; repeating increases verbosity levels
KYRTool Fix History:
1.0 Original Release: Nov 3, 2014
1.1 Bug Fix Release: Apr 2, 2015
>DKEN9U5UEX - Fix crash if pem file provided as input file has embedded nulls
>KLYH9UBNGW - Add Sha 256 Pinning to the kyrtool - displaying the digest on show commands
>MKIN9QHT5W - Fix kyrtool crashing when attempting the create command and giving an existing directory for the keyfile name
>DKEN9RVQGD - Fix kyrtool sometimes erroring on import all command